History log of /sssd-io/src/responder/common/cache_req/cache_req_private.h
Revision Date Author Comments
aa8608253630d8f3679dba5771ed019051c96930 13-Dec-2017 Fabiano Fidêncio <fidencio@redhat.com>

CACHE_REQ: Fix typo: cache_reg -> cache_req

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2af80640f18966d65cf82106059ce3c060df93bf 11-Dec-2017 amitkuma <amitkuma@redhat.com>

cache: Check for max_id/min_id in cache_req

The cache_req code doesn't check the min_id/max_id boundaries for requests by ID. Extending the .lookup_fn function in each plugin that searches by ID for a check that returns non-zero if the entry is out of the range and 0 if not.

Resolves: https://pagure.io/SSSD/sssd/issue/3569
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

a6eb9c4c3ff68d134bc745e8374f182737e9696b 06-Dec-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Implement the plugin methods that utilize the domain locator API

Mainly, this patch adds handlers for the dp_get_domain_check_fn(), dp_get_domain_send_fn() and dp_get_domain_recv_fn() functions to requests that resolve objects by ID.

This patch also adds domain-local negcache setter for by-id methods.

Previously, the by-ID methods only used global negative cache setters because the ID space is global and we always iterated over all domains. However, with addition of the domain locator plugin, we want also to skip only certain domains and the easiest way to do so is to add the IDs for domains that do not contain these IDs to the negative cache with the get-account-domain request. Therefore this patch also adds per-domain negative cache setters for the three plugins that search by ID.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

0a0b34f5fbe8f4a8c533a7d65f0f2961ee264054 06-Dec-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Add a private request cache_req_locate_domain()

Adds a new request cache_req_locate_domain_send/recv. This request, if the plugin that is being processed supports the locator, will call the plugin's dp_get_domain_send_fn(). On any error, the request returns just the error code. On success, the request returns the domain the object was found at.

If the getAccountDomain() method returns that the back end does not support the locator method, all further getAccountDomain() calls are disabled for that domain.

Related: https://pagure.io/SSSD/sssd/issue/3468
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

800b1a27543fa83bc6cd73d8e2789f3cdbaf584a 06-Dec-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Export cache_req_search_ncache_add() as cache_req private interface

Previously, it was enough to add an entry to the negative cache of the domain being processed in cache_req (cr->domain). But the locator plugin can return any domain from the processed domain's subdomain list as well. Therefore, this patch extends the internal API for the possibility of setting the negative cache in another domain as well.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

52e675ec4b160720515c81ae8c0e5a95feb50c57 06-Nov-2017 Sumit Bose <sbose@redhat.com>

CACHE_REQ: Add cache_req_data_set_bypass_dp()

Similar to cache_req_data_set_bypass_cache(), cache_req_data_set_bypass_dp() can be used to control how the cache_req framework performs the lookup. If cache_req_data_set_bypass_dp() is used with 'true' only a cache lookup is performed and no request is sent to the backend even if no entry was found.

Related to https://pagure.io/SSSD/sssd/issue/2478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

382a972a80ac571cdbf70d88571f6de49fe1cd23 27-Jul-2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

CACHE_REQ: Pull sessionRecording attrs from initgr

After entries are retrieved by cache_req for user info requests (except initgr), overlay them with sessionRecording attribute retrieved from an initgr request made additionally for each entry.

Do not do additional initgr requests with selective session recording enabled, if we don't have any group names to match against in session recording configuration. Only do user name matches instead.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

180e0b282be6aeb047c4b24b46e0b56afba1fdc8 10-May-2017 Fabiano Fidêncio <fidencio@redhat.com>

CACHE_REQ_RESULT: Introduce cache_req_create_ldb_result_from_msg_list()

Similarly to what cache_req_create_ldb_result_from_msg() does, this new function creates a new ldb_result from a list of ldb_message.

It's going to be used in the follow-up patch where some messages from ldb_result may be filtered and then a new ldb_result has to be created.

Related: https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

cee85e8fb9534ec997e5388fce59f392cf029573 30-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Domain type selection in cache_req

Related to: https://pagure.io/SSSD/sssd/issue/3310

Adds a new enumeration cache_req_dom_type. It is a tri-state that allows the caller to select which domains can be contacted - either only POSIX, only application domains or any type.

Not all plugins of cache_req have the new parameter added -- only those that are usable/useful in a non-POSIX environment. For example, it makes no sense to allow the selection for calls by ID because those are inherently POSIX-specific. Also, services or netgroups are supported only coming from POSIX domains.

At the moment, the patch should not change any behaviour as all calls default to contacting POSIX domains only.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

cache_req.c cache_req.h cache_req_private.h plugins/cache_req_enum_groups.c plugins/cache_req_enum_svc.c plugins/cache_req_enum_users.c plugins/cache_req_group_by_filter.c plugins/cache_req_group_by_id.c plugins/cache_req_group_by_name.c plugins/cache_req_host_by_name.c plugins/cache_req_initgroups_by_name.c plugins/cache_req_netgroup_by_name.c plugins/cache_req_object_by_id.c plugins/cache_req_object_by_name.c plugins/cache_req_object_by_sid.c plugins/cache_req_svc_by_name.c plugins/cache_req_svc_by_port.c plugins/cache_req_user_by_cert.c plugins/cache_req_user_by_filter.c plugins/cache_req_user_by_id.c plugins/cache_req_user_by_name.c /sssd-io/src/responder/ifp/ifp_groups.c /sssd-io/src/responder/ifp/ifp_users.c /sssd-io/src/responder/ifp/ifpsrv_cmd.c /sssd-io/src/responder/nss/nss_enum.c /sssd-io/src/responder/nss/nss_get_object.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_responder_cache_req.c
8bb6680637ead03e24a38d15ec5265d11a920a1d 14-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

CACHE_REQ: Check the caches first

This patch introduces a new configurable option to define whether the responder should query all domains' caches before querying the Data Providers.

This new option is called cache_first and, by default, it's disabled, meaning that, for each provider, the responder may contact the cache and the data provider in the same iteration.

Co-Author: Pavel Březina <pbrezina@redhat.com>
Related: https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

7cd226414c7bcdd32f05416df64ebda3ac869bd7 14-Mar-2017 Pavel Březina <pbrezina@redhat.com>

CACHE_REQ: Move result manipulation into a separate module

This patch is preparing the field for upcoming patches where new lookup logic will be added. Taking this into consideration, let's move the result manipulation code into a separate module and focus purely on the lookups logic in the main module.

Related: https://pagure.io/sssd/sssd/issue/3001
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

189db5329db0277425bb3bdd785c19aee23bb364 03-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

CACHE_REQ: Add cache_req_data_set_bypass_cache()

This new cache_req_data method has been added because of the upcoming changes in the PAM responder. For deciding whether to contact the cache, or just query the data provider directly, PAM responder calls pam_initgr_check_timeout() which will return whether the cache entry may still be valid. The cache will be contacted only in case the cache entry is still valid, otherwise the data provider will be called.

pam_initgr_check_timeout() basically checks whether the user (being looked up) is still a part of an in-memory hash table. Because the entry is a part of the hash table for a really short period of time, and is automatically removed, the communication with the data provider is forced to happen quite often.

As the follow-up changes should not modify this behaviour, this function was introduced so we can still call pam_initgr_check_timeout() and pass its result to the cache_req call that will perform the lookup.

Related: https://fedorahosted.org/sssd/ticket/1126
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

53c31b83e4d06ea4c2813eec2f1e647a613b4a2b 08-Feb-2017 Pavel Březina <pbrezina@redhat.com>

cache_req: add host by name search

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4df7aec645f87342f3a5146062abcb15f71f4fd9 08-Feb-2017 Pavel Březina <pbrezina@redhat.com>

cache_req: move dp request to plugin

This will allow to use cache req even for objects that do not use account request such as hosts.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cache_req_plugin.h cache_req_private.h cache_req_search.c plugins/cache_req_common.c plugins/cache_req_enum_groups.c plugins/cache_req_enum_svc.c plugins/cache_req_enum_users.c plugins/cache_req_group_by_filter.c plugins/cache_req_group_by_id.c plugins/cache_req_group_by_name.c plugins/cache_req_initgroups_by_name.c plugins/cache_req_initgroups_by_upn.c plugins/cache_req_netgroup_by_name.c plugins/cache_req_object_by_id.c plugins/cache_req_object_by_name.c plugins/cache_req_object_by_sid.c plugins/cache_req_svc_by_name.c plugins/cache_req_svc_by_port.c plugins/cache_req_user_by_cert.c plugins/cache_req_user_by_filter.c plugins/cache_req_user_by_id.c plugins/cache_req_user_by_name.c plugins/cache_req_user_by_upn.c /sssd-io/src/tests/cmocka/common_mock_resp_dp.c /sssd-io/src/tests/cmocka/test_responder_cache_req.c
2d12aae08aff6c17c1edb107a204c54d9acfe08d 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: do not set ncache if dp request fails

We will only remember entry in the negative cache if the data provider requests succeeded because only then we can be sure that the entry does not exist.

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

817e3ec31bbdb5447f4ffcd3302c558283b90943 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: improve debugging

The original debugging was unnecessarily large. I removed request name from all debug messages (keeping the request number). The name is now printed only when a new request is created. I also added an explicit message to see what object are we currently looking up.

For example:

[cache_req_set_plugin] (0x2000): CR #4: Setting "Group by ID" plugin
[cache_req_send] (0x0400): CR #4: New request 'Group by ID'
[cache_req_select_domains] (0x0400): CR #4: Performing a multi-domain search
[cache_req_set_domain] (0x0400): CR #4: Using domain [LDAP.PB]
[cache_req_search_send] (0x0400): CR #4: Looking up GID:20001@LDAP.PB
[cache_req_search_ncache] (0x0400): CR #4: Checking negative cache for [GID:20001@LDAP.PB]
[cache_req_search_ncache] (0x0400): CR #4: [GID:20001@LDAP.PB] is not present in negative cache
[cache_req_search_cache] (0x0400): CR #4: Looking up [GID:20001@LDAP.PB] in cache
[cache_req_search_send] (0x0400): CR #4: Returning [GID:20001@LDAP.PB] from cache
[cache_req_create_and_add_result] (0x0400): CR #4: Found 1 entries in domain LDAP.PB
[cache_req_done] (0x0400): CR #4: Finished: Success

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

8f895983e8d24b3edde4f695621f6b9a2fd20923 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: make plug-ins definition const

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7a2ca8d776df685bddbb64370181fb32d776f676 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: return well known objects in object by sid

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7be55c7de03da57f43fae3db7e6114eebb117a2e 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: allow to return well known object as result

When we are looking name by sid or sid by name we want to be also able to translate well known sid/name into its pair equivalent. This adds the ability to mock cache_req_result if a well known object is found.

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2e13817e64ff1e0e47dc844be501f2d3ab299f34 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add support for service by name

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b206e1abb7f6ea373d12537b3338552aed6b656d 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: encapsulate output data into structure

In enumeration calls we want to get objects from all domains, not only from the first matched domain. We move the cache search result into a structure that contains combination of domain and ldb_result. This is preparation for enumeration support inside cache_req.

Resolves: https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2749964664a69bbb99d09409c1110095cbfcc664 20-Oct-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: move from switch to plugins; add logic

cache_req has grown quite big from the original code and it turned out that using switch statements to branch code for different cases makes the code quite hard to read and further extend and any modification to the logic itself is difficult.

This patch changes the switch statements to plugins with small functions and separates logic into multiple modules. This gives us better control over the code and improves readability and maintainability while keeping code duplication to minimum.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com>